[RFC PATCH 0/2] let kexec_file_load use platform keyring to verify the kernel image

[RFC PATCH 0/2] let kexec_file_load use platform keyring to verify the kernel image

[Kairui Song]

Hi,

This is a different approach for the previous patch:
[RFC PATCH 0/1] KEYS, integrity: Link .platform keyring to .secondary_trusted_keys
make kexec_file_load be able to verify the kernel image against keys
provided by platform or firmware.

This patch adds a .platform_trusted_keys in system_keyring as the reference
to .platform keyring in integrity subsystem, when platform keyring is
being initialized it will be updated.

Another thing on my mind is that now kexec_file_load will still relay on
CONFIG_INTEGRITY_PLATFORM_KEYRING and all its dependencies to be enabled
to be able to verify the image against firmware keys. I'm thinking about
to have something like CONFIG_PLATFORM_KEYRING and make the .platform
keyring could be enabled for a more wider usage. Not sure if it's a good
idea though.

Tested in a VM with locally signed kernel with pesign and imported the
cert to EFI's MokList variable.

Kairui Song (2):
  integrity, KEYS: add a reference to platform keyring
  kexec, KEYS: Make use of platform keyring for signature verify

 arch/x86/kernel/kexec-bzimage64.c | 13 ++++++++++---
 certs/system_keyring.c            | 10 +++++++++-
 include/keys/system_keyring.h     |  5 +++++
 include/linux/verification.h      |  1 +
 security/integrity/digsig.c       |  4 ++++
 5 files changed, 29 insertions(+), 4 deletions(-)

-- 
2.20.1

[RFC PATCH 1/2] integrity, KEYS: add a reference to platform keyring

[Kairui Song]

Currently kexec_file_load will verify the kernel image being loaded
against .builtin_trusted_keys or .secondary_trusted_keys, but the
image could be signed with third part keys which will be provided by
platform or firmware and the keys won't be available in keyrings mentioned
above.

After commit ea93102f3224 ('integrity: Define a trusted platform keyring')
a .platform keyring is introduced to store the keys provided by platform
or firmware. And with a few following commits, now keys required to verify
the image is being imported to .platform keyring, but currently, only
IMA-appraisal could use the keyring and verify the image.

This patch exposes the .platform and makes other components, like
kexec_file_load, could use this .platform keyring to verify the
kernel image.

Suggested-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Kairui Song <kasong@redhat.com>
---
 certs/system_keyring.c        | 3 +++
 include/keys/system_keyring.h | 5 +++++
 security/integrity/digsig.c   | 4 ++++
 3 files changed, 12 insertions(+)

diff --git a/certs/system_keyring.c b/certs/system_keyring.c
index 81728717523d..a61b95390b80 100644
--- a/certs/system_keyring.c
+++ b/certs/system_keyring.c
@@ -24,6 +24,9 @@ static struct key *builtin_trusted_keys;
 #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
 static struct key *secondary_trusted_keys;
 #endif
+#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
+struct key *platform_trusted_keys;
+#endif
 
 extern __initconst const u8 system_certificate_list[];
 extern __initconst const unsigned long system_certificate_list_size;
diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
index 359c2f936004..9eaf01d01036 100644
--- a/include/keys/system_keyring.h
+++ b/include/keys/system_keyring.h
@@ -61,5 +61,10 @@ static inline struct key *get_ima_blacklist_keyring(void)
 }
 #endif /* CONFIG_IMA_BLACKLIST_KEYRING */
 
+#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
+
+extern struct key *platform_trusted_keys;
+
+#endif /* CONFIG_INTEGRITY_PLATFORM_KEYRING */
 
 #endif /* _KEYS_SYSTEM_KEYRING_H */
diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
index f45d6edecf99..26206240388d 100644
--- a/security/integrity/digsig.c
+++ b/security/integrity/digsig.c
@@ -89,6 +89,10 @@ static int __integrity_init_keyring(const unsigned int id, key_perm_t perm,
 		keyring[id] = NULL;
 	}
 
+	if (id == INTEGRITY_KEYRING_PLATFORM) {
+		platform_trusted_keys = keyring[id];
+	}
+
 	return err;
 }
 
-- 
2.20.1

Re: [RFC PATCH 1/2] integrity, KEYS: add a reference to platform keyring

[Mimi Zohar]

On Thu, 2019-01-10 at 00:48 +0800, Kairui Song wrote:
> Currently kexec_file_load will verify the kernel image being loaded
> against .builtin_trusted_keys or .secondary_trusted_keys, but the
> image could be signed with third part keys which will be provided by
> platform or firmware and the keys won't be available in keyrings mentioned
> above.
> 
> After commit ea93102f3224 ('integrity: Define a trusted platform keyring')
> a .platform keyring is introduced to store the keys provided by platform
> or firmware. And with a few following commits, now keys required to verify
> the image is being imported to .platform keyring, but currently, only
> IMA-appraisal could use the keyring and verify the image.
> 
> This patch exposes the .platform and makes other components, like
> kexec_file_load, could use this .platform keyring to verify the
> kernel image.

The "platform" keyring was upstreamed in order to verify the kernel
image being loaded by the kexec_file_load syscall.  The intentions of
this patch description needs to be clearer.

> 
> Suggested-by: Mimi Zohar <zohar@linux.ibm.com>
> Signed-off-by: Kairui Song <kasong@redhat.com>
> ---
>  certs/system_keyring.c        | 3 +++
>  include/keys/system_keyring.h | 5 +++++
>  security/integrity/digsig.c   | 4 ++++
>  3 files changed, 12 insertions(+)
> 
> diff --git a/certs/system_keyring.c b/certs/system_keyring.c
> index 81728717523d..a61b95390b80 100644
> --- a/certs/system_keyring.c
> +++ b/certs/system_keyring.c
> @@ -24,6 +24,9 @@ static struct key *builtin_trusted_keys;
>  #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
>  static struct key *secondary_trusted_keys;
>  #endif
> +#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
> +struct key *platform_trusted_keys;

Please make it static.

Mimi

> +#endif

[RFC PATCH 2/2] kexec, KEYS: Make use of platform keyring for signature verify

[Kairui Song]

kexec_file_load will need to verify the kernel signed with third part
keys, and the keys could be stored in firmware, then got loaded into
the .platform keyring. Now we have a .platform_trusted_keyring
as the reference to .platform keyring, this patch makes use if it and
allow kexec_file_load to verify the image against keys in .platform
keyring.

This commit adds a VERIFY_USE_PLATFORM_KEYRING similar to previous
VERIFY_USE_SECONDARY_KEYRING indicating that verify_pkcs7_signature
should verify the signature using platform keyring. Also, decrease
the error message log level when verification failed with -ENOKEY,
so that if called tried multiple time with different keyring it
won't generate extra noises.

Signed-off-by: Kairui Song <kasong@redhat.com>
---
 arch/x86/kernel/kexec-bzimage64.c | 13 ++++++++++---
 certs/system_keyring.c            |  7 ++++++-
 include/linux/verification.h      |  1 +
 3 files changed, 17 insertions(+), 4 deletions(-)

diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c
index 7d97e432cbbc..a8a5c1773ccc 100644
--- a/arch/x86/kernel/kexec-bzimage64.c
+++ b/arch/x86/kernel/kexec-bzimage64.c
@@ -534,9 +534,16 @@ static int bzImage64_cleanup(void *loader_data)
 #ifdef CONFIG_KEXEC_BZIMAGE_VERIFY_SIG
 static int bzImage64_verify_sig(const char *kernel, unsigned long kernel_len)
 {
-	return verify_pefile_signature(kernel, kernel_len,
-				       VERIFY_USE_SECONDARY_KEYRING,
-				       VERIFYING_KEXEC_PE_SIGNATURE);
+	int ret;
+	ret = verify_pefile_signature(kernel, kernel_len,
+			VERIFY_USE_SECONDARY_KEYRING,
+			VERIFYING_KEXEC_PE_SIGNATURE);
+	if (ret == -ENOKEY) {
+		ret = verify_pefile_signature(kernel, kernel_len,
+				VERIFY_USE_PLATFORM_KEYRING,
+				VERIFYING_KEXEC_PE_SIGNATURE);
+	}
+	return ret;
 }
 #endif
 
diff --git a/certs/system_keyring.c b/certs/system_keyring.c
index a61b95390b80..7514e69e719f 100644
--- a/certs/system_keyring.c
+++ b/certs/system_keyring.c
@@ -18,6 +18,7 @@
 #include <linux/verification.h>
 #include <keys/asymmetric-type.h>
 #include <keys/system_keyring.h>
+#include <keys/platform_keyring.h>
 #include <crypto/pkcs7.h>
 
 static struct key *builtin_trusted_keys;
@@ -239,12 +240,16 @@ int verify_pkcs7_signature(const void *data, size_t len,
 		trusted_keys = secondary_trusted_keys;
 #else
 		trusted_keys = builtin_trusted_keys;
+#endif
+#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
+	} else if (trusted_keys == VERIFY_USE_PLATFORM_KEYRING) {
+		trusted_keys = platform_trusted_keys;
 #endif
 	}
 	ret = pkcs7_validate_trust(pkcs7, trusted_keys);
 	if (ret < 0) {
 		if (ret == -ENOKEY)
-			pr_err("PKCS#7 signature not signed with a trusted key\n");
+			pr_devel("PKCS#7 signature not signed with a trusted key\n");
 		goto error;
 	}
 
diff --git a/include/linux/verification.h b/include/linux/verification.h
index cfa4730d607a..018fb5f13d44 100644
--- a/include/linux/verification.h
+++ b/include/linux/verification.h
@@ -17,6 +17,7 @@
  * should be used.
  */
 #define VERIFY_USE_SECONDARY_KEYRING ((struct key *)1UL)
+#define VERIFY_USE_PLATFORM_KEYRING  ((struct key *)2UL)
 
 /*
  * The use to which an asymmetric key is being put.
-- 
2.20.1

Re: [RFC PATCH 2/2] kexec, KEYS: Make use of platform keyring for signature verify

[Dave Young]

On 01/10/19 at 12:48am, Kairui Song wrote:
> kexec_file_load will need to verify the kernel signed with third part
> keys, and the keys could be stored in firmware, then got loaded into
> the .platform keyring. Now we have a .platform_trusted_keyring
> as the reference to .platform keyring, this patch makes use if it and
> allow kexec_file_load to verify the image against keys in .platform
> keyring.
> 
> This commit adds a VERIFY_USE_PLATFORM_KEYRING similar to previous
> VERIFY_USE_SECONDARY_KEYRING indicating that verify_pkcs7_signature
> should verify the signature using platform keyring. Also, decrease
> the error message log level when verification failed with -ENOKEY,
> so that if called tried multiple time with different keyring it
> won't generate extra noises.
> 
> Signed-off-by: Kairui Song <kasong@redhat.com>
> ---
>  arch/x86/kernel/kexec-bzimage64.c | 13 ++++++++++---
>  certs/system_keyring.c            |  7 ++++++-
>  include/linux/verification.h      |  1 +
>  3 files changed, 17 insertions(+), 4 deletions(-)
> 
> diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c
> index 7d97e432cbbc..a8a5c1773ccc 100644
> --- a/arch/x86/kernel/kexec-bzimage64.c
> +++ b/arch/x86/kernel/kexec-bzimage64.c
> @@ -534,9 +534,16 @@ static int bzImage64_cleanup(void *loader_data)
>  #ifdef CONFIG_KEXEC_BZIMAGE_VERIFY_SIG
>  static int bzImage64_verify_sig(const char *kernel, unsigned long kernel_len)
>  {
> -	return verify_pefile_signature(kernel, kernel_len,
> -				       VERIFY_USE_SECONDARY_KEYRING,
> -				       VERIFYING_KEXEC_PE_SIGNATURE);
> +	int ret;
> +	ret = verify_pefile_signature(kernel, kernel_len,
> +			VERIFY_USE_SECONDARY_KEYRING,
> +			VERIFYING_KEXEC_PE_SIGNATURE);
> +	if (ret == -ENOKEY) {
> +		ret = verify_pefile_signature(kernel, kernel_len,
> +				VERIFY_USE_PLATFORM_KEYRING,
> +				VERIFYING_KEXEC_PE_SIGNATURE);
> +	}
> +	return ret;
>  }
>  #endif
>  
> diff --git a/certs/system_keyring.c b/certs/system_keyring.c
> index a61b95390b80..7514e69e719f 100644
> --- a/certs/system_keyring.c
> +++ b/certs/system_keyring.c
> @@ -18,6 +18,7 @@
>  #include <linux/verification.h>
>  #include <keys/asymmetric-type.h>
>  #include <keys/system_keyring.h>
> +#include <keys/platform_keyring.h>
>  #include <crypto/pkcs7.h>
>  
>  static struct key *builtin_trusted_keys;
> @@ -239,12 +240,16 @@ int verify_pkcs7_signature(const void *data, size_t len,
>  		trusted_keys = secondary_trusted_keys;
>  #else
>  		trusted_keys = builtin_trusted_keys;
> +#endif
> +#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
> +	} else if (trusted_keys == VERIFY_USE_PLATFORM_KEYRING) {
> +		trusted_keys = platform_trusted_keys;
>  #endif
>  	}
>  	ret = pkcs7_validate_trust(pkcs7, trusted_keys);
>  	if (ret < 0) {
>  		if (ret == -ENOKEY)
> -			pr_err("PKCS#7 signature not signed with a trusted key\n");
> +			pr_devel("PKCS#7 signature not signed with a trusted key\n");
>  		goto error;
>  	}
>  
> diff --git a/include/linux/verification.h b/include/linux/verification.h
> index cfa4730d607a..018fb5f13d44 100644
> --- a/include/linux/verification.h
> +++ b/include/linux/verification.h
> @@ -17,6 +17,7 @@
>   * should be used.
>   */
>  #define VERIFY_USE_SECONDARY_KEYRING ((struct key *)1UL)
> +#define VERIFY_USE_PLATFORM_KEYRING  ((struct key *)2UL)
>  
>  /*
>   * The use to which an asymmetric key is being put.
> -- 
> 2.20.1
> 

Personally I would like to see platform key separated from integrity.
But for the kexec_file part I think it is good at least it works with
this fix.

Acked-by: Dave Young <dyoung@redhat.com>

Thanks
Dave

Re: [RFC PATCH 2/2] kexec, KEYS: Make use of platform keyring for signature verify

[Mimi Zohar]

On Fri, 2019-01-11 at 21:43 +0800, Dave Young wrote:
[snip]

> Personally I would like to see platform key separated from integrity.
> But for the kexec_file part I think it is good at least it works with
> this fix.
> 
> Acked-by: Dave Young <dyoung@redhat.com>

The original "platform" keyring patches that Nayna posted multiple
times were in the certs directory, but nobody commented/responded.  So
she reworked the patches, moving them to the integrity directory and
posted them (cc'ing the kexec mailing list).  It's a bit late to be
asking to move it, isn't it?

Mimi

Re: [RFC PATCH 2/2] kexec, KEYS: Make use of platform keyring for signature verify

[Dave Young]

Hi,

On 01/11/19 at 11:13am, Mimi Zohar wrote:
> On Fri, 2019-01-11 at 21:43 +0800, Dave Young wrote:
> [snip]
> 
> > Personally I would like to see platform key separated from integrity.
> > But for the kexec_file part I think it is good at least it works with
> > this fix.
> > 
> > Acked-by: Dave Young <dyoung@redhat.com>
> 
> The original "platform" keyring patches that Nayna posted multiple
> times were in the certs directory, but nobody commented/responded.  So
> she reworked the patches, moving them to the integrity directory and
> posted them (cc'ing the kexec mailing list).  It's a bit late to be
> asking to move it, isn't it?

Hmm, apologize for being late,  I did not get chance to have a look the
old series.  Since we have the needs now, it should be still fine

Maybe Kairui can check Nayna's old series, see if he can do something
again?

> 
> Mimi
> 

Thanks
Dave

Re: [RFC PATCH 2/2] kexec, KEYS: Make use of platform keyring for signature verify

[Kairui Song]

Hi, Mimi, Dave

I checked the previous patches:
https://www.spinics.net/lists/keyrings/msg03518.html
https://www.spinics.net/lists/keyrings/msg03517.html
https://www.spinics.net/lists/keyrings/msg03516.html

That the latest patched I could found that placed the platform keyring in certs/
However it didn't cc kexec list, and so I think Dave didn't receive them.

I could compose a patch to use the previous design, how do you think?


On Sun, Jan 13, 2019 at 9:40 AM Dave Young <dyoung@redhat.com> wrote:
>
> Hi,
>
> On 01/11/19 at 11:13am, Mimi Zohar wrote:
> > On Fri, 2019-01-11 at 21:43 +0800, Dave Young wrote:
> > [snip]
> >
> > > Personally I would like to see platform key separated from integrity.
> > > But for the kexec_file part I think it is good at least it works with
> > > this fix.
> > >
> > > Acked-by: Dave Young <dyoung@redhat.com>
> >
> > The original "platform" keyring patches that Nayna posted multiple
> > times were in the certs directory, but nobody commented/responded.  So
> > she reworked the patches, moving them to the integrity directory and
> > posted them (cc'ing the kexec mailing list).  It's a bit late to be
> > asking to move it, isn't it?
>
> Hmm, apologize for being late,  I did not get chance to have a look the
> old series.  Since we have the needs now, it should be still fine
>
> Maybe Kairui can check Nayna's old series, see if he can do something
> again?
>
> >
> > Mimi
> >
>
> Thanks
> Dave



--
Best Regards,
Kairui Song

Re: [RFC PATCH 2/2] kexec, KEYS: Make use of platform keyring for signature verify

[Mimi Zohar]

On Sun, 2019-01-13 at 09:39 +0800, Dave Young wrote:
> Hi,
> 
> On 01/11/19 at 11:13am, Mimi Zohar wrote:
> > On Fri, 2019-01-11 at 21:43 +0800, Dave Young wrote:
> > [snip]
> > 
> > > Personally I would like to see platform key separated from integrity.
> > > But for the kexec_file part I think it is good at least it works with
> > > this fix.
> > > 
> > > Acked-by: Dave Young <dyoung@redhat.com>
> > 
> > The original "platform" keyring patches that Nayna posted multiple
> > times were in the certs directory, but nobody commented/responded.  So
> > she reworked the patches, moving them to the integrity directory and
> > posted them (cc'ing the kexec mailing list).  It's a bit late to be
> > asking to move it, isn't it?
> 
> Hmm, apologize for being late,  I did not get chance to have a look the
> old series.  Since we have the needs now, it should be still fine
> 
> Maybe Kairui can check Nayna's old series, see if he can do something
> again?

Whether the platform keyring is defined in certs/ or in integrity/ the
keyring id needs to be accessible to the other, without making the
keyring id global.  Moving where the platform keyring is defined is
not the problem.

Commit a210fd32a46b ("kexec: add call to LSM hook in original
kexec_load syscall") introduced a new LSM hook.  Assuming
CONFIG_KEXEC_VERIFY_SIG is enabled, with commit b5ca117365d9 ("ima:
prevent kexec_load syscall based on runtime secureboot flag") we can
now block the kexec_load syscall.  Without being able to block the
kexec_load syscall, verifying the kexec image signature via the
kexec_file_load syscall is kind of pointless.

Unless you're planning on writing an LSM to prevent the kexec_load
syscall, I assume you'll want to enable integrity anyway.

Mimi

Re: [RFC PATCH 2/2] kexec, KEYS: Make use of platform keyring for signature verify

[Dave Young]

On 01/14/19 at 11:10am, Mimi Zohar wrote:
> On Sun, 2019-01-13 at 09:39 +0800, Dave Young wrote:
> > Hi,
> > 
> > On 01/11/19 at 11:13am, Mimi Zohar wrote:
> > > On Fri, 2019-01-11 at 21:43 +0800, Dave Young wrote:
> > > [snip]
> > > 
> > > > Personally I would like to see platform key separated from integrity.
> > > > But for the kexec_file part I think it is good at least it works with
> > > > this fix.
> > > > 
> > > > Acked-by: Dave Young <dyoung@redhat.com>
> > > 
> > > The original "platform" keyring patches that Nayna posted multiple
> > > times were in the certs directory, but nobody commented/responded.  So
> > > she reworked the patches, moving them to the integrity directory and
> > > posted them (cc'ing the kexec mailing list).  It's a bit late to be
> > > asking to move it, isn't it?
> > 
> > Hmm, apologize for being late,  I did not get chance to have a look the
> > old series.  Since we have the needs now, it should be still fine
> > 
> > Maybe Kairui can check Nayna's old series, see if he can do something
> > again?
> 
> Whether the platform keyring is defined in certs/ or in integrity/ the
> keyring id needs to be accessible to the other, without making the
> keyring id global.  Moving where the platform keyring is defined is
> not the problem.

Agreed, but just feel kexec depends on IMA sounds not good.

> 
> Commit a210fd32a46b ("kexec: add call to LSM hook in original
> kexec_load syscall") introduced a new LSM hook.  Assuming
> CONFIG_KEXEC_VERIFY_SIG is enabled, with commit b5ca117365d9 ("ima:
> prevent kexec_load syscall based on runtime secureboot flag") we can
> now block the kexec_load syscall.  Without being able to block the
> kexec_load syscall, verifying the kexec image signature via the
> kexec_file_load syscall is kind of pointless.
> 
> Unless you're planning on writing an LSM to prevent the kexec_load
> syscall, I assume you'll want to enable integrity anyway.

User can disable kexec_load in kernel config, and only allow
kexec_file_load.  But yes, this can be improved separately in case no
IMA enabled.

For the time being we can leave with it and fix like this series do.

> 
> Mimi
> 

Thanks
Dave

Re: [RFC PATCH 2/2] kexec, KEYS: Make use of platform keyring for signature verify

[Kairui Song]

On Tue, Jan 15, 2019 at 10:42 AM Dave Young <dyoung@redhat.com> wrote:
>
> On 01/14/19 at 11:10am, Mimi Zohar wrote:
> > On Sun, 2019-01-13 at 09:39 +0800, Dave Young wrote:
> > > Hi,
> > >
> > > On 01/11/19 at 11:13am, Mimi Zohar wrote:
> > > > On Fri, 2019-01-11 at 21:43 +0800, Dave Young wrote:
> > > > [snip]
> > > >
> > > > > Personally I would like to see platform key separated from integrity.
> > > > > But for the kexec_file part I think it is good at least it works with
> > > > > this fix.
> > > > >
> > > > > Acked-by: Dave Young <dyoung@redhat.com>
> > > >
> > > > The original "platform" keyring patches that Nayna posted multiple
> > > > times were in the certs directory, but nobody commented/responded.  So
> > > > she reworked the patches, moving them to the integrity directory and
> > > > posted them (cc'ing the kexec mailing list).  It's a bit late to be
> > > > asking to move it, isn't it?
> > >
> > > Hmm, apologize for being late,  I did not get chance to have a look the
> > > old series.  Since we have the needs now, it should be still fine
> > >
> > > Maybe Kairui can check Nayna's old series, see if he can do something
> > > again?
> >
> > Whether the platform keyring is defined in certs/ or in integrity/ the
> > keyring id needs to be accessible to the other, without making the
> > keyring id global.  Moving where the platform keyring is defined is
> > not the problem.
>
> Agreed, but just feel kexec depends on IMA sounds not good.
>
> >
> > Commit a210fd32a46b ("kexec: add call to LSM hook in original
> > kexec_load syscall") introduced a new LSM hook.  Assuming
> > CONFIG_KEXEC_VERIFY_SIG is enabled, with commit b5ca117365d9 ("ima:
> > prevent kexec_load syscall based on runtime secureboot flag") we can
> > now block the kexec_load syscall.  Without being able to block the
> > kexec_load syscall, verifying the kexec image signature via the
> > kexec_file_load syscall is kind of pointless.
> >
> > Unless you're planning on writing an LSM to prevent the kexec_load
> > syscall, I assume you'll want to enable integrity anyway.
>
> User can disable kexec_load in kernel config, and only allow
> kexec_file_load.  But yes, this can be improved separately in case no
> IMA enabled.
>
> For the time being we can leave with it and fix like this series do.
>
> >
> > Mimi
> >
>
> Thanks
> Dave

Yes, for now, I think it's good to fix the problem by following this
patch series and get kexec_file_load work with platform keyring first.
Will adopt suggestion from Mimi in the previous reply and update the
patch series.

For other remaining potential issues, kexec_load not being protected,
it could be disabled by config, and the improvement may require more
discussion. And issues like where the keyring is located, dependency
to making the keyring available for more general use could be
discussed later.

--
Best Regards,
Kairui Song

Re: [RFC PATCH 2/2] kexec, KEYS: Make use of platform keyring for signature verify

[nayna]

On 2019-01-14 21:42, Dave Young wrote:
> On 01/14/19 at 11:10am, Mimi Zohar wrote:
>> On Sun, 2019-01-13 at 09:39 +0800, Dave Young wrote:
>> > Hi,
>> >
>> > On 01/11/19 at 11:13am, Mimi Zohar wrote:
>> > > On Fri, 2019-01-11 at 21:43 +0800, Dave Young wrote:
>> > > [snip]
>> > >
>> > > > Personally I would like to see platform key separated from integrity.
>> > > > But for the kexec_file part I think it is good at least it works with
>> > > > this fix.
>> > > >
>> > > > Acked-by: Dave Young <dyoung@redhat.com>
>> > >
>> > > The original "platform" keyring patches that Nayna posted multiple
>> > > times were in the certs directory, but nobody commented/responded.  So
>> > > she reworked the patches, moving them to the integrity directory and
>> > > posted them (cc'ing the kexec mailing list).  It's a bit late to be
>> > > asking to move it, isn't it?
>> >
>> > Hmm, apologize for being late,  I did not get chance to have a look the
>> > old series.  Since we have the needs now, it should be still fine
>> >
>> > Maybe Kairui can check Nayna's old series, see if he can do something
>> > again?
>> 
>> Whether the platform keyring is defined in certs/ or in integrity/ the
>> keyring id needs to be accessible to the other, without making the
>> keyring id global.  Moving where the platform keyring is defined is
>> not the problem.
> 
> Agreed, but just feel kexec depends on IMA sounds not good.

The platform keyring is not dependent on IMA, it is dependent on 
"integrity" - CONFIG_INTEGRITY_ASYMMETRIC_KEYS.
Other CONFIGS which it needs are CONFIG_SYSTEM_BLACKLIST_KEYRING, 
CONFIG_EFI.

Thanks & Regards,
    - Nayna